+ Start a Discussion
Fernando Morales OrtizFernando Morales Ortiz 

Built-in XSS Protection unit challenge keeps failing when trying to Check

Hi,

I'm currently working with the "Discover Built-in XSS Protections in Force.com" Unit of Developer Advanced Trail. The point of the challenge is to edit the comments below each use of "{!sampleMergeField1}" to determine if is vulnerable to XSS. 

Based on the criteria found within the unit and in the guidelines in the Secure Coding Cross Site Scripting page for Built in Auto Encoding (All merge-fields are always auto HTML encoded provided they: do not occur within a <style> or <script> tag, AND do not occur within an apex tag with the escape='false' attribute) I came up with the following answers:
<apex:page controller="Built_In_XSS_Protections_Challenge" sidebar="false" tabStyle="Built_In_XSS_Protections_Challenge__tab">
<apex:sectionHeader title="Built-In XSS Protections Challenge" />
<apex:form >
    <apex:pageBlock >
        <c:Classic_Error />
        <apex:pageMessages />      
        <apex:pageBlockSection title="Demo" columns="1" id="tableBlock">          
            
            <apex:outputText value="{!sampleMergeField1}"/>
            <!-- sampleMergeField1 is vulnerable to XSS: NO -->


            <apex:outputText value="{!sampleMergeField2}" escape="false"/>
            <!-- sampleMergeField2 is vulnerable to XSS: YES -->


            <apex:outputText >
                {!sampleMergeField3}
            </apex:outputText>
            <!-- sampleMergeField3 is vulnerable to XSS: NO -->
       
       
            <style>
                .foo {
                    color: #{!sampleMergeField4};
                }
            </style>
            <!-- sampleMergeField4 is vulnerable to XSS: YES -->
             
            
            {!sampleMergeField5}
            <!-- sampleMergeField5 is vulnerable to XSS: NO -->
            
            
            <script>
                var x = '{!sampleMergeField6}';
            </script>
            <!-- sampleMergeField6 is vulnerable to XSS: YES -->
            
            
            <apex:outputLabel value="{!sampleMergeField7}" escape="false"/>
            <!-- sampleMergeField7 is vulnerable to XSS: YES -->
            
       
        </apex:pageBlockSection>
        <apex:pageBlockSection title="Code links" columns="1">
            <apex:outputPanel >
                <ul>
                    <li><c:codeLink type="Visualforce" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Visualforce Page"/></li>            
                    <li><c:codeLink type="Apex" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Apex Controller"/></li>
                </ul>
            </apex:outputPanel>        
        </apex:pageBlockSection>        
    </apex:pageBlock>          
</apex:form>

But everytime y check the challenge, the same message is displayed:

User-added image

I already checked that I am pointing to the right playground. 

If you can check it and help find where I am going wrong I would be thankful.

Thanks


 
Best Answer chosen by Fernando Morales Ortiz
Fernando Morales OrtizFernando Morales Ortiz
Apparently, there is a mismatch between the Visualforce Page version of the expected correct result for the challenge and the Visualforce Page version available in the Developer Edition.

It is necessary to change the comments to match the mentioned ones in the Challenge section, and also you must add a new line after the first use of {!sampleMergeField1} to match it to the line 10 (as the Challenge details suggest).

This code passed the challenge:
<apex:page controller="Built_In_XSS_Protections_Challenge" sidebar="false" tabStyle="Built_In_XSS_Protections_Challenge__tab">
<apex:sectionHeader title="Built-In XSS Protections Challenge" />
<apex:form >
    <apex:pageBlock >
        <c:Classic_Error />
        <apex:pageMessages />      
        <apex:pageBlockSection title="Demo" columns="1" id="tableBlock">    
              
            
            <apex:outputText value="{!sampleMergeField1}"/>
            <!-- Line 10 is vulnerable to XSS: NO -->


            <apex:outputText value="{!sampleMergeField2}" escape="false"/>
            <!-- Line 14 is vulnerable to XSS: YES -->


            <apex:outputText >
                {!sampleMergeField3}
            </apex:outputText>
            <!-- Line 19 is vulnerable to XSS: NO -->
       
       
            <style>
                .foo {
                    color: #{!sampleMergeField4};
                }
            </style>
            <!-- Line 26 is vulnerable to XSS: YES -->
             
            
            {!sampleMergeField5}
            <!-- Line 32 is vulnerable to XSS: NO -->
            
            
            <script>
                var x = '{!sampleMergeField6}';
            </script>
            <!-- Line 37 is vulnerable to XSS: YES -->
            
            
            <apex:outputLabel value="{!sampleMergeField7}" escape="false"/>
            <!-- Line 42 is vulnerable to XSS: YES -->
            
       
        </apex:pageBlockSection>
        <apex:pageBlockSection title="Code links" columns="1">
            <apex:outputPanel >
                <ul>
                    <li><c:codeLink type="Visualforce" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Visualforce Page"/></li>            
                    <li><c:codeLink type="Apex" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Apex Controller"/></li>
                </ul>
            </apex:outputPanel>        
        </apex:pageBlockSection>        
    </apex:pageBlock>          
</apex:form>              
</apex:page>

Thanks.

 

All Answers

Fernando Morales OrtizFernando Morales Ortiz
Apparently, there is a mismatch between the Visualforce Page version of the expected correct result for the challenge and the Visualforce Page version available in the Developer Edition.

It is necessary to change the comments to match the mentioned ones in the Challenge section, and also you must add a new line after the first use of {!sampleMergeField1} to match it to the line 10 (as the Challenge details suggest).

This code passed the challenge:
<apex:page controller="Built_In_XSS_Protections_Challenge" sidebar="false" tabStyle="Built_In_XSS_Protections_Challenge__tab">
<apex:sectionHeader title="Built-In XSS Protections Challenge" />
<apex:form >
    <apex:pageBlock >
        <c:Classic_Error />
        <apex:pageMessages />      
        <apex:pageBlockSection title="Demo" columns="1" id="tableBlock">    
              
            
            <apex:outputText value="{!sampleMergeField1}"/>
            <!-- Line 10 is vulnerable to XSS: NO -->


            <apex:outputText value="{!sampleMergeField2}" escape="false"/>
            <!-- Line 14 is vulnerable to XSS: YES -->


            <apex:outputText >
                {!sampleMergeField3}
            </apex:outputText>
            <!-- Line 19 is vulnerable to XSS: NO -->
       
       
            <style>
                .foo {
                    color: #{!sampleMergeField4};
                }
            </style>
            <!-- Line 26 is vulnerable to XSS: YES -->
             
            
            {!sampleMergeField5}
            <!-- Line 32 is vulnerable to XSS: NO -->
            
            
            <script>
                var x = '{!sampleMergeField6}';
            </script>
            <!-- Line 37 is vulnerable to XSS: YES -->
            
            
            <apex:outputLabel value="{!sampleMergeField7}" escape="false"/>
            <!-- Line 42 is vulnerable to XSS: YES -->
            
       
        </apex:pageBlockSection>
        <apex:pageBlockSection title="Code links" columns="1">
            <apex:outputPanel >
                <ul>
                    <li><c:codeLink type="Visualforce" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Visualforce Page"/></li>            
                    <li><c:codeLink type="Apex" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Apex Controller"/></li>
                </ul>
            </apex:outputPanel>        
        </apex:pageBlockSection>        
    </apex:pageBlock>          
</apex:form>              
</apex:page>

Thanks.

 
This was selected as the best answer
ChellappaChellappa
@Fernando,

Thanks for the input. But this is ridiculous from Salesforce trailhead.
They gave a wrong lines for the VF page and also the instruction was not clear that the Line nos should match ..
Did you just figure out an extra line is needed because the first comment was on Line 9 but the instruction was given Line 10
Thanks
Jeff_MeyersJeff_Meyers
I had this exact same issue and was bashing my head against a wall. Thanks for posting! Good to know I'm not crazy. 
Anurag Jain 73Anurag Jain 73
I tried the exact code given by Fernando, the code still doesn't work. Can someone please help?
Michael Sobczak 22Michael Sobczak 22
For anyone trying this recently, you don't need to update the comments to enter line numbers.  Also the "correct" answer for sampleMergeField5 is:

            {!sampleMergeField5}
            <!-- sampleMergeField5 is vulnerable to XSS: YES -->

I would have thought the answer would be NO, since the platform seems to escape any data that is rendereed in a page.
ease uease u
Download, and Stream Daily South african Podcast, Songs, Fakaza (https://sahiphopza.com/), hip-hop (https://sahiphopza.com/download-mp3/future-hardly/), mixtapes, videos & news updated daily on Sahiphopza!!!
Tiwari VedantTiwari Vedant
Please mark it as best answer-

Farnando's code is not working for current challenge-
 
<apex:page controller="Built_In_XSS_Protections_Challenge" sidebar="false" tabStyle="Built_In_XSS_Protections_Challenge__tab"> 
<apex:sectionHeader title="Built-In XSS Protections Challenge" /> 
<apex:form > 
<apex:pageBlock > 
<c:Classic_Error /> 
<apex:pageMessages /> 
<apex:pageBlockSection title="Demo" columns="1" id="tableBlock"> 
<apex:outputText value="{!sampleMergeField1}"/>
 <!-- sampleMergeField1 is vulnerable to XSS: NO --> 
<apex:outputText value="{!sampleMergeField2}" escape="false"/>
 <!-- sampleMergeField2 is vulnerable to XSS: YES --> 
<apex:outputText > {!sampleMergeField3} </apex:outputText> 
<!-- sampleMergeField3 is vulnerable to XSS: NO --> 
<style> .foo { color: #{!sampleMergeField4}; } </style> 
<!-- sampleMergeField4 is vulnerable to XSS: YES --> 
{!sampleMergeField5} 
<!-- sampleMergeField5 is vulnerable to XSS: YES -->
 <script> var x = '{!sampleMergeField6}'; </script> 
<!-- sampleMergeField6 is vulnerable to XSS: YES --> 
<apex:outputLabel value="{!sampleMergeField7}" escape="false"/>
 <!-- sampleMergeField7 is vulnerable to XSS: YES --> 
</apex:pageBlockSection> 
<apex:pageBlockSection title="Code links" columns="1"> 
<apex:outputPanel > 
<ul> 
<li><c:codeLink type="Visualforce" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Visualforce Page"/>
</li> 
<li><c:codeLink type="Apex" namespace="security_thail" name="Built_In_XSS_Protections_Challenge" description="Apex Controller"/></li> 
</ul> 
</apex:outputPanel> 
</apex:pageBlockSection> 
</apex:pageBlock> 
</apex:form> 
</apex:page>

 
Ashutosh Tripathi 72Ashutosh Tripathi 72
Mark Field sampleMergeField5  to YES.
Swati Sharma 45Swati Sharma 45
@vedant tiwari 9: Thanks! It worked
Christian Drachenberg RodriguezChristian Drachenberg Rodriguez
just like Michael Sobczak 22 and Ashutosh Tripathi 72 said, mark the sampleMergeField5  to YES. works for me, however, probbably is an error in the trailhead challenge because i tested with sampleMergeField2 and SampleMergeField5 and the last one was no vulnerable. 

User-added image
Caleb Kuester 27Caleb Kuester 27
Can confirm. Indicating option 5 as "YES" works and the "Question, feedback or help" link is just decorative.

This is not a different question from what gave the above "success," but it definitely requires a different set of answers.

According to the notes in the Trailhead, it should be safe.